Dealer Data, Customer Privacy, and California Franchise Laws

During the past several years, issues involving consumer data have leapt into the forefront of our national conversation. Every week, it seems like we’re reading a new article about another massive data breach. And policymakers on the right and left of the political aisle have announced enforcement actions and legislation designed at reigning-in perceived abuses of consumer information. At the federal level, the Justice Department and the FTC are stumbling over each other in anticipation of pursuing antitrust actions against companies like Google, Facebook, and Amazon. In California, our Attorney General is preparing regulations interpreting the California Consumer Privacy Act (CCPA), the nation’s most sweeping consumer privacy law.

So, what does all of this have to do with your dealership? There are several impacts. First, most dealerships are going to need to develop a CCPA compliance plan. * Second, manufacturers, DMS providers, and OEMs are imposing policies on dealerships in response to the CCPA and increasing concerns about data security and privacy. At least two manufacturers have announced policies that require dealerships to purchase cyber liability insurance, and some DMS providers have a reputation of coercing dealerships into a variety of disadvantageous arrangements.

Considering these developments, dealers should exercise caution when reviewing modifications of OEM and DMS provider policies and/or agreements that involve consumer data or data security. When reviewing these policies and agreements, dealers should take note of the following franchise law protections:

• California Vehicle Code section 11713.13(f)(1)(C). This law requires manufacturers to indemnify dealers for the manufacturer’s improper use and disclosure of nonpublic consumer information.
• California Vehicle Code section 11713.25. This law requires DMS providers and other vendors to: (i) obtain consent before accessing, modifying, or extracting dealer consumer data; and (ii) maintain safeguards to protect consumer information. In certain circumstances, the statute also allows dealers to revoke access of DMS providers and other vendors to dealer data.
• California Vehicle Code section 11713.3(v). This law requires OEMs, and affiliates of OEMs, to: (i) obtain consent before accessing, modifying, or extracting dealer consumer data; and (ii) maintain safeguards to protect consumer information.

*One final note on the CCPA - CNCDA is busily developing compliance resources and tools for our members on the CCPA. In July, we partnered with Helion Technologies to host a webinar on data security, and we partnered with the Arent Fox law firm to host two webinars on the CCPA in April. We are currently working with Arent Fox to develop a CCPA compliance handbook, which should be available to our members by mid-November. If you have any questions about the CCPA, California’s franchise laws, or any other legal compliance issue, do not hesitate to call CNCDA’s legal hotline at 916-441-2599. 

This post was published in CNCDA's August Monthly Bulletin - and authored by Anthony Bento, Director of Legal Affairs